Similar literature
 Found 20 similar documents (search time: 31 ms)
1.
Hidden Markov models (HMMs) have been shown to provide a high level of performance for detecting anomalies in sequences of system calls to the operating system kernel. Using Boolean conjunction and disjunction functions to combine the responses of multiple HMMs in the ROC space may significantly improve performance over a “single best” HMM. However, these techniques assume that the classifiers are conditionally independent, and that their ROC curves are convex. These assumptions are violated in most real-world applications, especially when classifiers are designed using limited and imbalanced training data. In this paper, the iterative Boolean combination (IBC) technique is proposed for efficient fusion of the responses from multiple classifiers in the ROC space. It applies all Boolean functions to combine the ROC curves corresponding to multiple classifiers, requires no prior assumptions, and its time complexity is linear with the number of classifiers. The results of computer simulations conducted on both synthetic and real-world host-based intrusion detection data indicate that the IBC of responses from multiple HMMs can achieve a significantly higher level of performance than the Boolean conjunction and disjunction combinations, especially when training data are limited and imbalanced. The proposed IBC is general in that it can be employed to combine diverse responses of any crisp or soft one- or two-class classifiers, and for a wide range of application domains.

2.
In this paper, a hybrid anomaly intrusion detection scheme using program system calls is proposed. In this scheme, a hidden Markov model (HMM) detection engine and a normal database detection engine have been combined to utilise their respective advantages. A fuzzy-based inference mechanism is used to infer a soft boundary between anomalous and normal behaviour, which is otherwise very difficult to determine when they overlap or are very close. To address the challenging issue of high cost in HMM training, an incremental HMM training with optimal initialization of HMM parameters is suggested. Experimental results show that the proposed fuzzy-based detection scheme can reduce false positive alarms by 48%, compared to the single normal database detection scheme. Our HMM incremental training with the optimal initialization produced a significant improvement in terms of training time and storage as well. The HMM training time was reduced by four times and the memory requirement was also reduced significantly.

3.
The neural and statistical classifiers employed in off-line signature verification (SV) systems are often designed from limited and unbalanced training data. In this article, an approach based on the combination of discrete Hidden Markov Models (HMMs) in the ROC space is proposed to improve the performance of these systems. Inspired by the multiple-hypothesis principle, this approach allows the system to select, from a set of different HMMs, the most suitable solution for a given input sample. By training an ensemble of user-specific HMMs with different number of states and different codebook sizes, and then combining these models in the ROC space, it is possible to construct a composite ROC curve that provides a more accurate estimation of system performance. Moreover, in testing mode, the corresponding operating points—which may be selected dynamically according to the risk associated with input samples—can significantly reduce the error rates. Experiments performed by using a real-world off-line SV database, with random, simple and skilled forgeries, indicate that the multi-hypothesis approach can reduce the average error rates by more than 17%, as well as the number of HMM states by 48%.

4.
Anomaly detection is an important problem that has been popularly researched within diverse research areas and application domains. One of the open problems in anomaly detection is the modeling and prediction of complex sequential data, which consist of a series of temporally related behavior patterns. In this paper, a novel sequential anomaly detection method based on temporal-difference (TD) learning is proposed, where the anomaly detection problem of multi-stage cyber attacks is considered as an application case. A Markov reward process model is presented for the anomaly detection and alarming process of sequential data and it is verified that when the reward function is properly defined, the anomaly probabilities of sequential behaviors are equivalent to the value functions of the Markov reward process. Therefore, TD learning algorithms in the reinforcement learning literature can be used to efficiently construct anomaly detection models of complex sequential behaviors by estimating the value functions of the Markov reward process. Compared with other machine learning methods for anomaly detection, the proposed approach has the advantage of a simplified labeling process using delayed evaluative signals, and the prediction accuracy can be improved even if labeled training data are limited. Based on the experimental results on intrusion detection of host computers using system call data, it was shown that the proposed anomaly detection method can achieve higher or at least comparable detection accuracies than other approaches including SVMs and HMMs.

5.
In practice, each writer provides only a limited number of signature samples to design a signature verification (SV) system. Hybrid generative–discriminative ensembles of classifiers (EoCs) are proposed in this paper to design an off-line SV system from few samples, where the classifier selection process is performed dynamically. To design the generative stage, multiple discrete left-to-right Hidden Markov Models (HMMs) are trained using a different number of states and codebook sizes, allowing the system to learn signatures at different levels of perception. To design the discriminative stage, HMM likelihoods are measured for each training signature, and assembled into feature vectors that are used to train a diversified pool of two-class classifiers through a specialized Random Subspace Method. During verification, a new dynamic selection strategy based on the K-nearest-oracles (KNORA) algorithm and on Output Profiles selects the most accurate EoCs to classify a given input signature. This SV system is suitable for incremental learning of new signature samples. Experiments performed with real-world signature data (composed of genuine samples, and random, simple and skilled forgeries) indicate that the proposed dynamic selection strategy can significantly reduce the overall error rates, with respect to other EoCs formed using well-known dynamic and static selection strategies. Moreover, the performance of the SV system proposed in this paper is significantly greater than or comparable to that of related systems found in the literature.

6.
An adaptive sensor network for home intrusion detection is proposed. The sensor network combines profile-based anomaly detection and adaptive information processing based on hidden Markov models (HMM) that allow the system to train and tune the profiles automatically. The trade-off between miss-alarms and false alarms has been studied experimentally. Several types of hypothetical intrusion have been tested and successfully detected. However, hypothetical anomalies such as supposing that a resident has fallen down due to sudden illness have been difficult to detect.

7.
Information Fusion, 2008, 9(1): 96-119
This paper examines the problem of distributed intrusion detection in Mobile Ad-Hoc Networks (MANETs), utilizing ensemble methods. A three-level hierarchical system for data collection, processing and transmission is described. Local IDSs (intrusion detection systems) are attached to each node of the MANET, collecting raw data of network operation, and computing a local anomaly index measuring the mismatch between the current node operation and a baseline of normal operation. Anomaly indexes from nodes belonging to a cluster are periodically transmitted to a cluster head, which averages the node indexes producing a cluster-level anomaly index. Cluster heads periodically transmit these cluster-level anomaly indexes to a manager which averages them. On the theoretical side, we show that averaging improves detection rates under very mild conditions concerning the distributions of the anomaly indexes of the normal class and the anomalous class. On the practical side, the paper describes clustering algorithms to update cluster centers and machine learning algorithms for computing the local anomaly indexes. The complete suite of algorithms was implemented and tested, under two types of MANET routing protocols and two types of attacks against the routing infrastructure. Performance evaluation was effected by determining the receiver operating characteristics (ROC) curves and the corresponding area under the ROC curve (AUC) metrics for various operational conditions. The overall results confirm the theoretical developments related to the benefits of averaging, with detection accuracy improving as we move up in the node–cluster–manager hierarchy.

8.
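Intrusion detection systems commonly suffer from high data dimensionality, large data volumes and difficult training. Applying the kernel extreme learning machine (KELM) algorithm in an intrusion detection system allows it to handle training on large amounts of high-dimensional data; KELM learns quickly and does not require tuning of the network's input weights, which reduces the training difficulty of the detection system. However, the imbalance, noise interference and uneven distribution of intrusion data sets directly affect the classification performance of KELM. Therefore, to address the problem of intrusion data processing, an intrusion detection algorithm based on IPMeans-KELM is proposed. The algorithm first clusters the intrusion data using a K-means algorithm optimized by an improved PSO (IPMeans), increasing the aggregation of data of the same type. The processed data are then split by 10-CV, and the 10 parts are used in turn to train the KELM classifier; the test data are run through the trained KELM classifier and the average detection rate of the classifier is output. If the detection result does not meet the expected condition, the process is repeated until the condition is met. Comparative experiments were carried out on the Matlab platform, and the results show that the algorithm effectively improves the intrusion detection rate while reducing the false alarm rate.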

9.
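With the rapid development of the Internet of Things (IoT), the security of IoT devices has received wide attention. The software and hardware characteristics of IoT devices make them highly vulnerable to various attacks. Anomaly detection for IoT devices has become a hot topic in recent years, and traditional protection approaches based on intrusion detection, traffic analysis and the like are not applicable to the software and hardware environment of IoT devices. To address this problem, an anomaly detection scheme based on chip radiation is proposed. It uses the electromagnetic signals radiated by an IoT device during operation as the basis for detection; after feature extraction and selection on the raw signal using a genetic algorithm and approximate entropy theory, a one-class support vector machine is trained on the radiation signals produced by normal behavior. The scheme is non-intrusive, requires no software or hardware modification of the original system, and is applicable to existing IoT devices. The experimental results show that, compared with other commonly used anomaly detection schemes, this scheme detects abnormal behavior of IoT devices more effectively, with higher accuracy and a lower false alarm rate.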

10.
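Intrusion detection is the process of identifying intrusions that are under way or have already occurred. Anomaly detection is one of the main analysis methods in intrusion detection. Building on the traditional use of a single intrusion detection algorithm, this paper proposes an anomaly intrusion detection method based on a composite HMM and STIDE algorithm. The composite HMM and STIDE algorithm is used to distinguish whether unknown behavior is a legitimate operation or an intrusion. Experiments show that the method has a low false alarm rate and a high detection rate.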

11.
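In the traditional hidden Markov model, the probability that the model stays in a given state for a certain time decreases exponentially as time increases. This paper uses time-dependent state transition probabilities to characterize state duration. First, the modified hidden Markov model and the traditional hidden Markov model are compared and analyzed using the same feature vectors. Second, comparative experiments are carried out on combinations of different feature vectors. In addition, when combining different parameters, the paper considers the influence of different feature parameters and their dimensions on the observation vector probability output.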

12.
Acoustic modeling in state-of-the-art speech recognition systems usually relies on hidden Markov models (HMMs) with Gaussian emission densities. HMMs suffer from intrinsic limitations, mainly due to their arbitrary parametric assumption. Artificial neural networks (ANNs) appear to be a promising alternative in this respect, but they historically failed as a general solution to the acoustic modeling problem. This paper introduces algorithms based on a gradient-ascent technique for global training of a hybrid ANN/HMM system, in which the ANN is trained for estimating the emission probabilities of the states of the HMM. The approach is related to the major hybrid systems proposed by Bourlard and Morgan and by Bengio, with the aim of combining their benefits within a unified framework and overcoming their limitations. Several viable solutions to the "divergence problem", which may arise when training is accomplished over the maximum-likelihood (ML) criterion, are proposed. Experimental results in speaker-independent, continuous speech recognition over Italian digit-strings validate the novel hybrid framework, allowing for improved recognition performance over HMMs with mixtures of Gaussian components, as well as over Bourlard and Morgan's paradigm. In particular, it is shown that the maximum a posteriori (MAP) version of the algorithm yields a 46.34% relative word error rate reduction with respect to standard HMMs.

13.
14.
We present a glove-based hand gesture recognition system using hidden Markov models (HMMs) for recognizing the unconstrained 3D trajectory gestures of operators in a remote work environment. A Polhemus sensor attached to a PinchGlove is employed to obtain a sequence of 3D positions of a hand trajectory. The direct use of 3D data provides more naturalness in generating gestures, thereby avoiding some of the constraints usually imposed to prevent performance degradation when trajectory data are projected into a specific 2D plane. We use two kinds of HMMs according to the basic units to be modeled: gesture-based HMM and stroke-based HMM. The decomposition of gestures into more primitive strokes is quite attractive, since reversely concatenating stroke-based HMMs makes it possible to construct a new set of gesture-based HMMs. Any deterioration in performance and reliability arising from decomposition can be remedied by a fine-tuned relearning process for such composite HMMs. We also propose an efficient method of estimating a variable threshold of reliability for an HMM, which is found to be useful in rejecting unreliable patterns. In recognition experiments on 16 types of gestures defined for remote work, the fine-tuned composite HMM achieves the best performance of 96.88% recognition rate and also the highest reliability.

15.
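For online classification systems whose patterns change frequently, such as customer credit assessment, spam detection and network intrusion detection, automatically sensing new classes that objectively exist and having the classifier in the system adapt to them is a problem that must be solved for the system to keep running correctly. This paper proposes a decision tree training algorithm that adapts to the addition of new classes: given that a new class has already been detected, the algorithm incrementally trains a new decision tree from the new-class samples on the basis of the original decision tree. Experimental results show that the proposed algorithm solves this problem well, and that, compared with retraining a new decision tree, the smaller time cost of offline classifier adjustment makes it suitable for online classification systems.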

16.
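For online classification systems whose patterns change frequently, such as customer credit assessment, spam detection and network intrusion detection, automatically sensing new classes that objectively exist and having the classifier in the system adapt to them is a problem that must be solved for the system to keep running correctly. This paper proposes a decision tree training algorithm that adapts to the addition of new classes: given that a new class has already been detected, the algorithm incrementally trains a new decision tree from the new-class samples on the basis of the original decision tree. Experimental results show that the proposed algorithm solves this problem well, and that, compared with retraining a new decision tree, the smaller time cost of offline classifier adjustment makes it suitable for online classification systems.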

17.
This paper presents a strategy to represent and classify process data for detection of abnormal operating conditions. In representing the data, a wavelet-based smoothing algorithm is used to filter the high frequency noise. A shape analysis technique called triangular episodes then converts the smoothed data into a semi-qualitative form. Two membership functions are implemented to transform the quantitative information in the triangular episodes to a purely symbolic representation. The symbolic data is classified with a set of sequence matching hidden Markov models (HMMs), and the classification is improved by utilizing a time correlated HMM after the sequence matching HMM. The method is tested on simulations with a non-isothermal CSTR and compared with methods that use a back-propagation neural network with and without an ARX model.

18.
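Intrusion detection is a research hotspot in network security, and protocol anomaly detection is a difficult research problem within intrusion detection. A new protocol anomaly detection model based on the hidden Markov model (HMM) is proposed. The method quantizes the flag bits of data packets and uses the resulting numeric sequence as input to the HMM, thereby modeling the normal behavior of the network. The model can distinguish attacks from normal network data. Training and detection use the DARPA 1999 data set. The experimental results verify the accuracy of the model; compared with the existing detection method based on a Markov chain, the proposed method has a higher detection rate.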

19.
The problem of using a small amount of speech data to adapt a set of Gaussian HMMs (hidden Markov models) that have been trained on one speaker to recognize the speech of another is considered. The authors experimented with a phoneme-dependent spectral mapping for adapting the mean vectors of the multivariate Gaussian distributions (a method analogous to the confusion matrix method that has been used to adapt discrete HMMs), and a heuristic for estimating covariance matrices from small amounts of data. The best results were obtained by training the mean vectors individually from the adaptation data and using the heuristic to estimate distinct covariance matrices for each phoneme.

20.
We present an evaluation of incremental learning algorithms for the estimation of hidden Markov model (HMM) parameters. The main goal is to investigate incremental learning algorithms that can provide as good performances as traditional batch learning techniques, but incorporating the advantages of incremental learning for designing complex pattern recognition systems. Experiments on handwritten characters have shown that a proposed variant of the ensemble training algorithm, employing ensembles of HMMs, can lead to very promising performances. Furthermore, the use of a validation dataset demonstrated that it is possible to reach better performances than the ones presented by batch learning.
